All-in-one proximity payment device with local authentication

ABSTRACT

A personal powered proximity payment device that can be owned by or issued to an individual user is provided. The device can be a non-ISO card device that includes an internal dual-mode (contact and contactless) chip card coupled to a display and a robust PIN entry or biometric reading means. The device can provide proximity payment functions, and optional proximity payment on/off and local pre-purchase account holder verification functions to individual users.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a divisional of U.S. patent application Ser. No. 12/303,773, filed Nov. 5, 2010, which is a U.S. National Phase under 35 U.S.C. §371 of International Patent Application Ser. No. PCT/US07/070679, filed Jun. 8, 2007, which claims priority to U.S. Provisional Application Ser. No. 60/811,982, filed Jun. 8, 2006, each of which is incorporated by reference herein in its entirety.

BACKGROUND OF THE INVENTION

Smart card technology is fast becoming commonplace in our culture and daily lives. A smart card is a card that is embedded with either a microprocessor and a memory chip or only a memory chip with non-programmable logic. The microprocessor card can add, delete, and otherwise manipulate information on the card, while a memory-chip card (for example, pre-paid phone cards) can only undertake a pre-defined operation. Smart cards, unlike magnetic stripe cards, can carry all necessary functions and information on the card. Therefore, they do not require access to remote databases at the time of the transaction.

Smart cards, which are also generally referred to by the industry as “microprocessor cards” or “chip cards,” offer greater memory storage and security of data than traditional magnetic stripe cards. Smart cards may have up to 8 kilobytes of RAM, 346 kilobytes of ROM, 256 kilobytes of programmable ROM, and a 16-bit microprocessor. A smart card uses a serial interface and receives its power from external sources like a card reader. The processor uses a limited instruction set for applications such as cryptography. Smart cards are used for a variety of applications, especially those that have cryptography built in, which require manipulation of large numbers. Thus, smart cards have been the main platform for cards that hold a secure digital identity. The most common smart card applications are:

-   Credit cards
-   Electronic cash
-   Computer security systems
-   Wireless communication
-   Loyalty systems (like frequent flyer points)
-   Banking
-   Satellite TV
-   Government identification

Delivering security, i.e., ensuring access is granted only for authorized usage by authorized cardholders, is the fundamental attribute of smart cards. The effectiveness of smart cards in delivering security is one of the reasons they have been so widely adopted, especially in financial services and mobile phones, why the growth of smart cards has been explosive, and why their usage is expected to expand rapidly for other applications such as personal identity cards, access to pay TV/entertainment, health care services and transportation. Assignee MasterCard makes smart card-based authentication solutions (e.g., a program called the Chip Authentication Program (CAP)) available to card issuers. CAP can also be used for Internet banking and other applications requiring positive cardholder authorization. (See, e.g., Rutherford et al., International Patent Publication No. WO/2005/001618, Wankmueller et al., International Patent Publication No. WO/2003/081832, and Harris et al., International Patent Publication No. WO/2001/027887, all of which publications are incorporated by reference herein).

For contactless payment card systems to be economically viable and to gain commercial acceptance, the contactless payment cards must be interoperable at all or most RFID-enabled payment terminals, even when the cards and terminals have technological features that are proprietary to specific card providers/issuers, vendors or terminal manufacturers. Industry-wide interoperability is desirable. Towards this end, industry standards organizations and groups (e.g., International Organization for Standards (ISO) and International Electro Technical Committee (IEC)) have formulated voluntary industry standards for implementation of contactless smart card payment technologies. Three such exemplary standards which have been defined by ISO/IEC are the ISO/IEC 10536, ISO/IEC 14443, and ISO/IEC 15693 standards applicable to Close Coupling, Proximity and Vicinity cards, respectively.

Recently, assignee MasterCard International Incorporated (“MasterCard”) has developed proprietary specifications, including MasterCard PayPass™ ISO/IEC 14443 Implementation Specification (“PayPass”), for implementation of proximity (contactless) payment card technologies. PayPass is an RF-enabled contactless payment platform, which lets users tap or wave a device in front of a special reader in order to process a transaction. The PayPass implementations are consistent with the ISO/IEC 14443 Standard and provide a convenient example illustrating the principles of the present invention. (See, e.g., Smets et al., U.S. Patent Application Ser. Nos. 11/182,354, 11/182,357, 11/182,358, 11/182,356, 11/182,355, and 11/182,351, all filed Jul. 15, 2005 and all of which are incorporated by reference herein).

In addition to contactless technologies that are standardized under ISO 14443, a number of proprietary contactless interfaces are also used in the industry (e.g., Cubic's GO-Card and Sony's Felica card). With existing card technology deployments, interoperability can be an issue. Card readers deployed by vendors in the marketplace should preferably accommodate several different card types. For example, a desirable card reader would support ISO 14443 cards, any additional proprietary card types and also existing “contact” payment cards. A method and system for conducting transactions using a payment card with two different technologies is described in Wankmueller U.S. Pat. No. 6,857,566, which is incorporated by reference herein in its entirety.

Consideration is now being given to enhancing electronic payment solutions and devices. Attention is being directed to non-standard electronic payment devices with a view to integrating the features of both contact and non-contact payment devices.

Further features of the invention, its nature and various advantages will be more apparent from the accompanying drawings and the following detailed description.

SUMMARY OF THE INVENTION

Proximity payment devices and methods with local authentication features for facilitating proximity payment transactions are provided.

An exemplary proximity payment device (“all-in-one” proximity payment device) includes an internal dual-mode (contact and contactless) chip card. The all-in-one device further includes an ISO 14443 antenna connected to the chip card for contactless operation. Further, the dual-mode chip card includes proximity payment applications (such as MasterCard's PayPass application) for contactless operation. The contact portions of the chip have integrated PIN entry and/or biometric reader capability (e.g., via chip contact plates). The chip is configured to provide local verification of the PIN or biometric signature submitted by a user. The dual-mode chip card includes contact chip applications (e.g., MasterCard's CAP user authentication application) for this purpose and other purposes.

The local verification feature of the all-in-one device advantageously eliminates the need to have the proximity device/account holder (e.g., a PayPass payment account holder) enter his or her PayPass payment account PIN or biometric signature into a separate merchant device for making a proximity payment transaction. The feature also advantageously dispenses with the need to have a separate PIN entry device at the merchant point of interaction. Instead, the PIN or biometric signature can be submitted or entered in the account holder's own device. The all-in-one device allows PayPass transactions of any dollar size to be transacted without requiring merchants to deploy any user transaction verification hardware (e.g., PIN Pads or biometric readers).

In a method for making a customer-merchant transaction using the all-in-one device, the merchant terminal (or POS device, ATM, etc.) receives a transaction that has already been approved or signed by the consumer. Thus, the merchant POS device does not have to prompt the customer for PIN or a biometric signature entry. In one embodiment, the all-in-one device generates a chip produced Cardholder Verification Result (PIN-Flag), which is sent to the all-in-one device issuer and is of use only for the upcoming payment transaction.

In an embodiment of the invention, the all-in-one device is a battery-powered PayPass device having a display and PIN entry or biometric reading capability. The device is a “non-ISO card” device that uses an internal dual-mode (contact and contactless) chip card. The battery-powered PayPass device has the usual PayPass functions and may further have an optional PayPass on/off switching function and an optional PayPass pre-purchase account holder verification function. The beneficial features of this all-in-one device include: a) the use of the display, and b) PIN entry or biometric reader capability of the device for a number of optional controls of the PayPass payment application.

In the operation of this all-in-one device, a user can activate the PayPass on/off function (e.g., by manually depressing a “power on” switch or pushbutton) to enable proximity PayPass chip communications/functionality for a desired time period. Alternatively, the user can enter a code or biometric to enable proximity PayPass chip communications/functionality for a suitably specified time period upon successful local verification by the chip. The user enters their account PIN code or biometric (e.g., via device pushbuttons), which is communicated internally or locally to the device chip via chip physical contact plates or leads. The account PIN code or biometric is locally checked by the chip. Upon successful verification, the proximity PayPass functionality of the device is enabled by the chip, which additionally produces a unique one-time use cryptogram PIN-Flag. The one-time use cryptogram PIN-Flag, which may, for example, be up to 8 bytes long or a fraction thereof, is converted to digit format using PayPass conversion methods for display. Thus, the all-in-one device, which may be personally owned by (or issued to) an individual user, allows the user to “pre-sign” a PayPass transaction.

BRIEF DESCRIPTION OF THE DRAWINGS

Further features and advantages of the disclosed subject matter will become apparent from the following detailed description taken in conjunction with the accompanying figures showing illustrative embodiments of the disclosed subject matter, in which:

FIG. 1 is an exemplary schematic illustration of an all-in-one payment device based on a non-ISO contact payment device, which is configured to additionally have contactless payment capabilities, in accordance with the principles of the present invention. A chip card with an RF antenna provides non-contactless proximity payment capabilities.

FIG. 2 is a flow diagram illustrating exemplary steps in proximity payment transaction using local authentication features of the device of FIG. 1, in accordance with the principles of the present invention.

DESCRIPTION OF THE INVENTION

An all-in-one payment device is provided. The all-in-one payment device has operational features of both a contact payment device and a non-contact (i.e., proximity) payment device. The all-in-one payment device need not conform to ISO specifications.

The invention is described herein using MasterCard's branded PayPass proximity devices and applications as illustrative examples, with the understanding that the present invention is not limited to the examples used herein, but is also applicable to other types of payment applications, instruments or devices that may be used in proximity payment transactions.

In an embodiment of the invention shown in FIG. 1, an exemplary non-ISO device (e.g., a portable contact payment card device or token 100, FIG. 1) further includes a microelectronic chip card 110. Portable contact payment card device or token 100 may, for example, be fabricated by modifying a commercially available non-ISO device (e.g., models Xi-Sign sold by Almex Ltd., 3853 Trelawny Circle, Mississauga, Ontario, Canada L5N 684). Chip card 110 includes an RF antenna (e.g., a PayPass antenna) and a proximity payment application (e.g., a PayPass application) disposed on it. Further, a suitable authentication program (e.g., MasterCard's two-factor Chip Authentication Program (CAP)) is disposed on the same chip card. The device 100 can be configured for dual-mode operation (i.e., contact and contactless modes), which includes an account holder verification method based on verification of a PIN entry made via pushbutton keyboard 120. Alternatively or additionally, the device can be configured with a biometric entry for suitable biometric verification of user identity. The device can also include a feedback mechanism, which can be configured to inform a user whether a verification entry (PIN or biometric) is or is not accepted by the device. An alphanumeric display 130 can provide the information visually.

Device 100 enables merchants to accept contact card transactions and contactless smartcard transactions (e.g., PayPass transactions) and can be readily integrated with existing POS, ECR or PC devices via conventional wireless or wired links (e.g., a USB link).

Advantageously, device 100 can provide a transaction that has been “pre-signed.” For example, in a preferred embodiment of the device, this pre-signing can be obtained by combining the fast and easy Tap & Go payment feature of a Point of Sale PayPass application and a user authentication application that is traditionally used in non-face-to-face transaction environments (e-commerce environments). In the preferred embodiment, the latter authentication application can include robust PIN entry features and within the chip PIN validation service (e.g., CAP).

For PayPass POS transactions, device 100 can provide account holder authentication within the device itself. This capability can advantageously eliminate the need to have the account holder enter his or her PayPass payment account PIN in a separate merchant POS PIN Pad.

FIG. 2 shows an exemplary method 200 of using device 100 for a PayPass payment to a merchant. In method 200, at step 210 the account holder enters his or her payment account PIN code digits utilizing the PIN entry capabilities of device 100 (e.g., via pushbutton keyboard 120), before the account holder interacts with the merchant's PayPass Point of Sale (POS) device or other PayPass accepting device (step 290). At subsequent or concurrent step 220, the account holder sees (or receives other feedback) that the PIN digits entries are being received by device 100. For example, display 130 can indicate the PIN digits as they are being entered by the account holder by visual and/or audio signal. In a preferred embodiment, an asterisk is displayed for each digit of the PIN entered.

At step 230, the entered PIN code is sent to the chip in device 100 via conventional chip contact plates or leads for validation within the chip. At step 240, PayPass application functionality is enabled only if the validation at step 230 indicates that the PIN is correct. Thus, steps 230 and 240 jointly provide at the same time a secure on/off feature for proximity payment as well as the user authentication feature of a PayPass user.

For a preferred embodiment of process 200, the PayPass application is configured to send, at step 250, a “verification status” indicator in a standard PayPass message protocol field to the PayPass accepting device (e.g., merchant POS device). The verification status indicator informs the accepting device that device 100/PayPass chip 110 has already verified the user and has produced Cardholder Verification Results (CVR) (e.g., PIN-Flag).

The verification status indicator can, for example, have a tag, length, and value format (TLV format), similar to EMV. In a particular example, the tag element can use EMV conventions and accordingly can use the 4 characters ‘9F34’ to indicate to the terminal that the chip has produced Cardholder Verification Results (CVR). This Cardholder Verification Results “PIN-Flag” value can be placed in any suitable or available field portion of the PayPass or EMV “ARQC” cryptogram, which portion can then be converted to display digit format according to, for example, PayPass binary display data conversion methods. It will be understood that there is no security need to encrypt this value since it is not the user's PIN, but is only an indication that the PayPass chip card 110 itself has just verified the PIN. Unlike a compromised PIN, the indicator value itself cannot be used to establish user identity.

With renewed reference to FIG. 2, in process 200 at step 260, the merchant's PayPass accepting device responds to the receipt of this special PIN-Flag field. The response can, for example, be either of two responses, A and B, according to whether the tag value is an unsigned value or a digitally signed value, respectively.

Response A (unsigned value)

In a preferred embodiment, if the tag value is ‘9F34’ (which is not a PKI-based digitally signed value), the merchant's POS device learns by receiving this “tag” value that the PayPass transaction has a “user entered and a local device (i.e., device 100) verified” PIN for the transaction. At step 262a, the merchant's POS device sends the “flag value” to the issuer for validation. In this option, the payment device issuer can verify if the PIN-Flag value field is correct. For this purpose at step 262a, the POS terminal sends a normal online authorization message with this PIN-Flag value populated in any convenient banking network message field, for example, by using Data Element (DE) #55 (chip data) or MasterCard's field DE #48 (UCAF data), or ISO DE 52 (PIN Data) field, or any other data field as appropriate for the network.

Response B (digitally signed value)

If the tag value is a PKI-based digitally signed flag value, for example, ‘9F35’, the merchant's POS device learns by receiving this tag value that the PayPass transaction has a user-entered PIN value associated with the transaction, which PIN value has been verified by local device 100. Unlike the case of the unsigned values (step 262a), the signed flag value is not sent to the issuer for validation. Instead, at step 262b, the flag value is checked or verified locally within the POS device environment. For this purpose, the POS device receives the “PKI private key” signed PIN-Flag field. In a preferred embodiment, the PayPass chip card sends to the merchant's PayPass POS reader its EMV chip card Issuer public key EMV certificate (step 261). The merchant's PayPass POS device verifies the chip card's Issuer public key certificate using its EMV root certificate for the account payment brand. If good, the POS device then uses the just checked chip card's Issuer public key certificate over the signed PIN-Flag field to verify the PIN-Flag value using normal PKI signature verification techniques.

In this manner at step 262b, the merchant's PayPass POS device locally checks or verifies offline that the PIN-Flag value is valid. If the value is valid, subsequent processing of the payment transaction can proceed as for an offline signed transaction. The merchant's PayPass POS device also learns that it does not need to authenticate the user by prompting the user for a PIN code or signature or biometric entry.
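The step 260 dispatch between Response A and Response B, as an added example that is not code from the patent or from any PayPass or EMV specification. The tags ‘9F34’ and ‘9F35’ and the 8-byte limit are the page's own examples; the action names, the sample byte strings, and the choice to ignore a malformed or ambiguous field (so the terminal falls back to its usual processing) are assumptions made here.

```python
from typing import NamedTuple

TAG_UNSIGNED = 0x9F34  # the page's example tag for an unsigned PIN-Flag (Response A)
TAG_SIGNED = 0x9F35    # the page's example tag for a signed PIN-Flag (Response B)
MAX_UNSIGNED_LEN = 8   # the page: the PIN-Flag may be up to 8 bytes long


class TLVError(ValueError):
    """Raised when the field is not well-formed BER-TLV."""


class Decision(NamedTuple):
    action: str    # hypothetical action names, not from any specification
    value: bytes   # PIN-Flag bytes to forward or verify (empty if unused)
    reason: str


def parse_tlv(data: bytes) -> list:
    """Parse a flat run of EMV-style BER-TLV objects into (tag, value) pairs."""
    items, i, n = [], 0, len(data)
    while i < n:
        if data[i] == 0x00:            # '00' padding between objects
            i += 1
            continue
        tag = data[i]
        i += 1
        if tag & 0x1F == 0x1F:         # low five bits set: tag continues
            while True:
                if i >= n:
                    raise TLVError("truncated tag")
                tag = (tag << 8) | data[i]
                i += 1
                if not data[i - 1] & 0x80:
                    break
        if i >= n:
            raise TLVError("missing length")
        length = data[i]
        i += 1
        if length & 0x80:              # long form: next 1-2 bytes hold the length
            count = length & 0x7F
            if count not in (1, 2) or i + count > n:
                raise TLVError("unsupported or truncated length")
            length = int.from_bytes(data[i:i + count], "big")
            i += count
        if i + length > n:
            raise TLVError("value runs past end of field")
        items.append((tag, data[i:i + length]))
        i += length
    return items


def route_verification_status(field: bytes, terminal_supports_flag: bool = True) -> Decision:
    """Choose Response A or B from step 260; anything doubtful is not trusted."""
    if not terminal_supports_flag:     # legacy terminal ignores the field
        return Decision("PROCESS_AS_USUAL", b"", "legacy terminal")
    try:
        items = parse_tlv(field)
    except TLVError as exc:
        return Decision("PROCESS_AS_USUAL", b"", f"malformed field: {exc}")
    flags = [(t, v) for t, v in items if t in (TAG_UNSIGNED, TAG_SIGNED)]
    if not flags:
        return Decision("PROCESS_AS_USUAL", b"", "no PIN-Flag present")
    if len(flags) > 1:                 # assumption: ambiguity is treated as no flag
        return Decision("PROCESS_AS_USUAL", b"", "more than one PIN-Flag")
    tag, value = flags[0]
    if tag == TAG_UNSIGNED:
        if not 1 <= len(value) <= MAX_UNSIGNED_LEN:
            return Decision("PROCESS_AS_USUAL", b"", "bad PIN-Flag length")
        return Decision("SEND_TO_ISSUER", value, "unsigned flag, step 262a")
    if not value:
        return Decision("PROCESS_AS_USUAL", b"", "empty signature")
    return Decision("VERIFY_OFFLINE_PKI", value, "signed flag, steps 261-262b")


# Constructed sample fields (tag 9F36 with a 2-byte counter precedes the flag).
SAMPLE_UNSIGNED = bytes.fromhex("9F3602002A9F3404A1B2C3D4")
SAMPLE_SIGNED = bytes.fromhex("9F358180") + bytes(range(128))
SAMPLE_TRUNCATED = bytes.fromhex("9F3408A1B2")

if __name__ == "__main__":
    for sample in (SAMPLE_UNSIGNED, SAMPLE_SIGNED, SAMPLE_TRUNCATED):
        print(route_verification_status(sample))
```

The signed branch only selects the offline path; the certificate-chain and signature checks of steps 261 and 262b still have to succeed before the terminal skips its own cardholder prompt.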

With renewed reference to FIG. 1, it is noted that exemplary device 100 as shown can be obtained by modifying a particular Xiring device (e.g., a Xiring Smart Token 1000). The Xiring devices have a battery, a display, and a general numeric entry capability for PIN entry and/or entry of additional transaction specific data. These devices also have one or more buttons (e.g., an enter key or navigation buttons), which power the device unit on or off and control the device's operation. The commercially available Xiring 1000 device can be a self-contained product that features a Chip Authentication Program-compliant chip. A user enters his or her PIN into the device, which then creates a unique, one-time code. That code permits the user to conduct online banking or e-commerce transactions at suitably-enabled merchant sites. The one-time code that is generated, based on EMV and CAP, only works once, then becomes null upon the completion of the transaction.

To fabricate all-in-one device 100, a commercial Xiring 1000 device is modified by adding a PayPass antenna (not shown) and replacing the existing “contact only” chip in the commercial Xiring 1000 device with a dual-mode (contact and contactless) chip which supports PayPass functionality.

In addition to these hardware changes, optional CVM function software changes can be made to the PayPass payment application for CVM validation. The resulting device 100 is a small “CAP capable” self-powered non-card form factor device. The modified device is a combination unit with an “all-in-one” CAP device with additional PayPass functionality, which has cardholder authentication and PayPass payment ability.

All-in-one device 100 and its implementations can be backwards compatible with existing electronic payment infrastructure. Merchant terminals and PayPass readers, which are configured to process the cryptogram (i.e., a flag), will process the flag placed in the designated proximity protocol message field. Conversely, legacy terminals will ignore the designated proximity protocol message field and its contents (i.e., the flag) and otherwise process the transaction data in the usual manner.

In a preferred embodiment of this option, the cryptogram can be coded in tag, length, value (TLV) format, similar to EMV. This tag (hex ‘9F34’) can indicate to the merchant terminal that the chip has produced a Cardholder Verification Result (CVR). The chip CVR cryptogram is unique for the upcoming transaction. The CVR result can be produced using other input data different from the input data used to create the PayPass cryptogram, but preferably is logically linked to the upcoming payment transaction cryptogram by using the same chip transaction counter. As another option, the CVR cryptogram can be a non-overlapping portion of a larger cryptogram used to create the PayPass cryptogram for the payment transaction.

This chip created cryptogram provides proof that the chip has completed account holder verification and the cryptogram (i.e., a flag) can be passed to the PayPass reader in a convenient proximity protocol message field. This account holder verification value can be subsequently sent to the card issuer in an existing 0100 authorization message field such as DE 55 (data element 55), or the MasterCard UCAF field, or the ISO DE 52 (PIN Data) field. There is no need to encrypt this CVR cryptogram indicator value since it is not the user's PIN but a verifiable (by the issuer) value which indicates that the PayPass chip has already locally verified the PIN or user provided biometric in the user device, not in any merchant point of sale equipment. Upon receiving the normal authorization message with this CVR cryptogram, it is an issuer option to verify if the value is correct.

In an alternate embodiment, dual-mode operation of the all-in-one device can exploit EMV PKI for card and PIN-Flag authentication. In this embodiment, the all-in-one device, which is associated with an EMV public key, can sign the cryptogram (i.e., flag) using its private key. The EMV PayPass reader or terminal, using EMV PKI certificates and procedures, can verify or validate the signature of the particular PIN-Flag. After the validity of the signature has been validated, the device can go offline, and further transaction data processing can proceed in the usual EMV off-line manner on the basis that authorization was given by the user's smart card.

Although the present invention has been described in connection with specific exemplary embodiments, it should be understood that various changes, substitutions, and alterations apparent to those skilled in the art can be made to the disclosed embodiments without departing from the spirit and scope of the invention.

What is claimed is:
1. A proximity payment device comprising: a dual-mode chip card, the dual-mode chip card configured to perform either or both of contact or contactless operations; a radio-frequency (RF) antenna and a proximity payment application disposed on the chip card, the RF antenna and the proximity payment application providing proximity payment functionality; a proximity payment functionality on-off mechanism; at least one of a manual PIN code and biometric identifier entry device; and at least one of a PIN code and biometric identifier authentication program disposed on the chip card, the at least one of the PIN code and biometric identifier authentication program being operatively coupled to the at least one of the manual PIN code and biometric identifier entry device.
2. The device of claim 1, wherein the proximity payment functionality on-off mechanism is a user-operable on-off switch.
3. The device of claim 1, wherein the proximity payment functionality on-off mechanism is responsive to local or internal chip verification of at least one of an entered PIN code and an entered biometric identifier for a payment transaction.
4. The device of claim 1, wherein the dual-mode card is configured to generate a unique one-time use flag in response to successful local or internal chip verification of at least one of an entered PIN code and an entered biometric identifier for a proximity payment transaction.
5. The device of claim 1, further comprising at least one of wired links and wireless links to a merchant's point-of-sale (POS) device, and wherein the device is further configured to send an unsigned verification status indicator in a standard proximity payment message protocol over the links to the POS device.
6. The device of claim 1, further comprising at least one of wired links to a merchant's point-of-sale (POS) device, and wherein the device is further configured to send a digitally signed verification status indicator in a standard proximity payment message protocol over the links to the POS device.
7. The device of claim 1, further comprising a display for communicating transaction information including PIN entry status and verification flags to the device user.